Cannot renew certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: goto-technologies.com
Sub domains are crm and mautic

I ran this command: sudo certbot renew --dry-run --preferred-challenges http
sudo certbot renew --dry-run
sudo certbot renew (all no joy)

It produced this output:

sudo certbot renew --dry-run --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/crm.goto-technologies.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for crm.goto-technologies.com
http-01 challenge for mautic.goto-technologies.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (crm.goto-technologies.com) from /etc/letsencrypt/renewal/crm.goto-technologies.com.conf produced an unexpected error: Failed authorization procedure. mautic.goto-technologies.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://goto-technologies.com/wp-signup.php?new=mautic [174.58.35.155]: "\n\n<html lang="en-US">\n\n\n\n<meta charset="UTF-8">\n<meta name="viewport" content="width=device-width, initial-". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/crm.goto-technologies.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/crm.goto-technologies.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mautic.goto-technologies.com
    Type: unauthorized
    Detail: Invalid response from
    http://goto-technologies.com/wp-signup.php?new=mautic
    [174.58.35.155]: "\n\n<html
    lang="en-US">\n\n\n\n<meta charset="UTF-8">\n<meta
    name="viewport" content="width=device-width, initial-"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Server version: Apache/2.4.37 (Ubuntu)
Server built: 2018-10-28T15:26:37

The operating system my web server runs on is (include version):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:
Self Hosted

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin 1.9

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.28.0


#2

Hi @jharl

There are different problems.

Your mautic has a wrong redirect ( https://check-your-website.server-daten.de/?q=mautic.goto-technologies.com ):

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, and Letsencrypt checks this file. But this subdomain has a redirect to your wp-login, so that can't work.

So you should remove this redirect.

Your two other domains are better: http + crm redirects to https, then a 404, if the file is unknown, this is ok. Same with your main domain.

How are the vHosts and webroots configured? Do you have three different vHosts with three different webroots? If yes, it may be easier if you create three different certificates.

Sample www + non-www:

certbot run -a webroot -i apache -w yourWwwWebroot -d goto-technologies.com -d www.goto-technologies.com

It may be easier to split the problems. Or, without -i apache, use --dry-run instead to create a test certificate (not installed).
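A pre-flight check for the http-01 path described above, added here as example code (not from the thread, Certbot or Let's Encrypt): it follows the redirect chain the validator would follow and reports why the response would fail. The hostnames in FAKE are the thread's; the responses are constructed from the output quoted in the first post.

```python
# Added pre-flight check for http-01 (example code, not from the thread): the ACME validator
# fetches http://<host>/.well-known/acme-challenge/<token>, follows redirects and expects the token.
import http.client
from urllib.parse import urlsplit, urljoin

def fetch(url, timeout=10):  # one GET without following redirects -> (status, Location, body)
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    conn.request("GET", u.path + (f"?{u.query}" if u.query else ""))
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location"), resp.read(200).decode("utf-8", "replace")

def follow_chain(url, fetch_fn=fetch):  # [(url, status, body), ...], one entry per hop
    hops = []
    for _ in range(11):  # Let's Encrypt follows at most 10 redirects
        status, location, body = fetch_fn(url)
        hops.append((url, status, body))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
    return hops

def diagnose(hops, token):  # classify the final hop the way the validator sees it
    first_host = urlsplit(hops[0][0]).hostname
    final_url, status, body = hops[-1]
    if status == 200 and body.strip() == token:
        return "ok"
    if urlsplit(final_url).hostname != first_host:
        return f"wrong redirect: {first_host} ends at {final_url} answering {status}, not the token"
    if status == 404:
        return "path reachable but token missing: check the webroot (-w) / DocumentRoot"
    return f"unexpected {status} at {final_url}"

def precheck(host, token="probe-token", fetch_fn=fetch):
    # create <webroot>/.well-known/acme-challenge/<token> containing <token> before a live run
    return diagnose(follow_chain(f"http://{host}/.well-known/acme-challenge/{token}", fetch_fn), token)

CRM = "crm.goto-technologies.com/.well-known/acme-challenge/probe-token"
FAKE = {  # constructed responses modelled on the thread's output, not live data
    "http://mautic.goto-technologies.com/.well-known/acme-challenge/probe-token":
        (302, "http://goto-technologies.com/wp-signup.php?new=mautic", ""),
    "http://goto-technologies.com/wp-signup.php?new=mautic": (200, None, '<html lang="en-US">'),
    "http://" + CRM: (301, "https://" + CRM, ""),
    "https://" + CRM: (404, None, "Not Found"),
}

if __name__ == "__main__":  # offline demo against FAKE; call precheck(host) for a live probe
    for host in ("mautic.goto-technologies.com", "crm.goto-technologies.com"):
        print(host, "->", precheck(host, fetch_fn=FAKE.__getitem__))
```

A live run needs the probe file in place first; without it a 404 from the same host still tells you the path reaches the right vhost.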


#3

JuergenAuer, thanks for replying. I need a simpler explanation for this if it is possible. Since I first issued my certs I have moved to using FPM-based Apache, as I need different versions of PHP. The redirect that I am using for my mautic site is for FPM.

Please see the mautic .conf:

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.

ServerName mautic.goto-technologies.com
# Optionally have other subdomains also managed by this Virtual Host
ServerAlias mautic.goto-technologies.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/mautic
<Directory /var/www/html/mautic>
Require all granted
# Allow local .htaccess to override Apache configuration settings
AllowOverride all
</Directory>

# Enable RewriteEngine
#RewriteEngine on
#RewriteOptions inherit

# Block .svn, .git
#RewriteRule \.(svn|git)(/)?$ - [F]

# Catchall redirect to www.example1.com
#RewriteCond %{HTTP_HOST}   !^www.example1\.com [NC]
#RewriteCond %{HTTP_HOST}   !^$
#RewriteRule ^/(.*)         https://www.example1.com/$1 [L,R]

# Recommended: XSS protection
#<IfModule mod_headers.c>
#Header set X-XSS-Protection "1; mode=block"
#Header always append X-Frame-Options SAMEORIGIN
#</IfModule>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# Redirect to local php-fpm if mod_php is not available

<IfModule !mod_php7.c>

# Enable http authorization headers

SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler "proxy:unix:/run/php/php7.1-fpm.sock|fcgi://localhost"
</FilesMatch>
<FilesMatch ".+\.phps$">
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(ar|p|ps|tml)$">
    Require all denied
</FilesMatch>
</IfModule>
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

#RewriteEngine on
#RewriteCond %{SERVER_NAME} =mautic.goto-technologies.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

mautic ssl conf:

# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName mautic.goto-technologies.com
# Optionally have other subdomains also managed by this Virtual Host
ServerAlias mautic.goto-technologies.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/mautic
<Directory /var/www/html/mautic>
Require all granted
# Allow local .htaccess to override Apache configuration settings
AllowOverride all
</Directory>

# Enable RewriteEngine
#RewriteEngine on
#RewriteOptions inherit

# Block .svn, .git
#RewriteRule \.(svn|git)(/)?$ - [F]

# Catchall redirect to www.example1.com
#RewriteCond %{HTTP_HOST}   !^www.example1\.com [NC]
#RewriteCond %{HTTP_HOST}   !^$
#RewriteRule ^/(.*)         https://www.example1.com/$1 [L,R]

# Recommended: XSS protection
#<IfModule mod_headers.c>
#Header set X-XSS-Protection "1; mode=block"
#Header always append X-Frame-Options SAMEORIGIN
#</IfModule>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# Redirect to local php-fpm if mod_php is not available

<IfModule !mod_php7.c>

# Enable http authorization headers

SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler "proxy:unix:/run/php/php7.1-fpm.sock|fcgi://localhost"
</FilesMatch>
<FilesMatch ".+\.phps$">
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(ar|p|ps|tml)$">
    Require all denied
</FilesMatch>
</IfModule>
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

SSLCertificateFile /etc/letsencrypt/live/crm.goto-technologies.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/crm.goto-technologies.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

crm conf:

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.

ServerName crm.goto-technologies.com
# Optionally have other subdomains also managed by this Virtual Host
ServerAlias crm.goto-technologies.com
ServerAdmin jack@goto-technologies.com
DocumentRoot /var/www/html/suitecrm

<Directory /var/www/html/suitecrm>
Require all granted
# Allow local .htaccess to override Apache configuration settings
AllowOverride all
Options +FollowSymlinks
</Directory>

# Enable RewriteEngine
#RewriteEngine on
#RewriteOptions inherit

# Block .svn, .git
#RewriteRule \.(svn|git)(/)?$ - [F]

# Catchall redirect to www.example1.com
#RewriteCond %{HTTP_HOST}   !^www.example1\.com [NC]
#RewriteCond %{HTTP_HOST}   !^$
#RewriteRule ^/(.*)         https://www.example1.com/$1 [L,R]

# Recommended: XSS protection
#<IfModule mod_headers.c>
#Header set X-XSS-Protection "1; mode=block"
#Header always append X-Frame-Options SAMEORIGIN
#</IfModule>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# Redirect to local php-fpm if mod_php is not available

<IfModule !mod_php7.c>

# Enable http authorization headers

SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler "proxy:unix:/run/php/php7.3-fpm.sock|fcgi://localhost"
</FilesMatch>
<FilesMatch ".+\.phps$">
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(ar|p|ps|tml)$">
    Require all denied
</FilesMatch>
</IfModule>
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =crm.goto-technologies.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

crm ssl conf:

# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName crm.goto-technologies.com
# Optionally have other subdomains also managed by this Virtual Host
ServerAlias crm.goto-technologies.com
ServerAdmin jack@goto-technologies.com
DocumentRoot /var/www/html/suitecrm

<Directory /var/www/html/suitecrm>
Require all granted
# Allow local .htaccess to override Apache configuration settings

AllowOverride all
</Directory>

# Enable RewriteEngine
#RewriteEngine on
#RewriteOptions inherit

# Block .svn, .git
#RewriteRule \.(svn|git)(/)?$ - [F]

# Catchall redirect to www.example1.com
#RewriteCond %{HTTP_HOST}   !^www.example1\.com [NC]
#RewriteCond %{HTTP_HOST}   !^$
#RewriteRule ^/(.*)         https://www.example1.com/$1 [L,R]

# Recommended: XSS protection
#<IfModule mod_headers.c>
#Header set X-XSS-Protection "1; mode=block"
#Header always append X-Frame-Options SAMEORIGIN
#</IfModule>

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# Redirect to local php-fpm if mod_php is not available

<IfModule !mod_php7.c>

# Enable http authorization headers

SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler "proxy:unix:/run/php/php7.3-fpm.sock|fcgi://localhost"
</FilesMatch>
<FilesMatch ".+\.phps$">
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(ar|p|ps|tml)$">
    Require all denied
</FilesMatch>
</IfModule>
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

SSLCertificateFile /etc/letsencrypt/live/crm.goto-technologies.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/crm.goto-technologies.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Those are the Apache redirects for FPM. Please advise as needed.

Best regards
john


closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.